• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 1945
  • Last Modified:

Detect whether "Include inheritable permissions from this object's parent" is checked for Active Directory user objects

I need to generate a report of users for whom this checkbox is checked and is not checked. I would like to see if I can detect this programmatically using a PowerShell script. Could someone please show me how?
Asked by: Julian123

1 Solution

soostibi Commented:
This one-liner uses Quest's AD Snapin and shows users with inheritance broken:

Get-QADUser -SizeLimit 0 | ?{$_.security.PermissionInheritanceLocked}

If you would like to see a full report:

Get-QADUser -SizeLimit 0 | Select-Object name, dn, @{n="InheritanceBroken";e={$_.security.PermissionInheritanceLocked}}

Julian123 (Author) Commented:
I can't install additional tools like Quest's on the machine. How can one do this with PowerShell alone on W2k8 R2?

soostibi Commented:
Then try this:

$DN = ([ADSI]"").distinguishedName
$ds = New-Object System.DirectoryServices.DirectorySearcher([ADSI]"LDAP://$DN","(objectcategory=user)")
$ds.PageSize = 1000   # page the results; without this the server's default 1000-entry limit truncates the report
$ds.FindAll() | %{
    $user = $_.GetDirectoryEntry()
    # AreAccessRulesProtected is $true when inheritance from the parent is blocked (checkbox cleared)
    $blocked = $user.psbase.ObjectSecurity.AreAccessRulesProtected
    New-Object -TypeName PSObject -Property @{
        name = $user.cn[0]
        DN = $user.distinguishedName[0]
        BlockedInheritance = $blocked
    }
}
 
soostibi Commented:
And an R2 Active Directory Module solution:
Import-Module activedirectory
cd ad:    # the AD: drive lets Get-Item / Get-Acl address objects by distinguished name
Get-ADUser -Filter {enabled -eq $true} | %{
    $user = $_
    # read the object's ACL through the provider; AreAccessRulesProtected reflects the checkbox
    $blocked = Get-Item $user.distinguishedname | %{get-acl $_.pspath} | %{$_.areaccessrulesprotected}
    New-Object -TypeName PSObject -Property @{
        name = $user.name
        DN = $user.distinguishedname
        BlockedInheritance = $blocked
    }
}
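A fuller report on the same Active Directory module, added here as an example and not code from the thread: it reads nTSecurityDescriptor straight from Get-ADUser instead of walking the AD: drive, records adminCount next to the inheritance flag (SDProp stamps protected accounts from AdminSDHolder and blocks inheritance on them, which is the usual cause for a user), and writes a CSV. It assumes a DC that runs Active Directory Web Services; the server name and output path are placeholders.

```powershell
# Added example, not from the thread. Needs the ActiveDirectory module and a DC that
# exposes Active Directory Web Services: Windows Server 2008 R2, or a 2003/2008 DC
# with the Active Directory Management Gateway Service installed.
Import-Module ActiveDirectory

function Get-UserInheritanceReport {
    param(
        [string]$Server,       # optional: ADWS-capable DC, e.g. 'dc01.example.local'
        [string]$SearchBase    # optional: restrict the report to one OU
    )
    $params = @{ Filter = '*'; Properties = 'nTSecurityDescriptor', 'adminCount' }
    if ($Server)     { $params.Server     = $Server }
    if ($SearchBase) { $params.SearchBase = $SearchBase }

    # nTSecurityDescriptor comes back as an ActiveDirectorySecurity object, so the
    # AreAccessRulesProtected flag behind the checkbox is available without the AD: drive.
    # adminCount = 1 means SDProp has stamped the object with AdminSDHolder's ACL
    # (a current or former member of a protected group), which is the expected reason
    # for a user to have inheritance blocked. Blocked without adminCount means someone
    # cleared the checkbox by hand; those are the entries worth reviewing.
    Get-ADUser @params | Select-Object Name, SamAccountName, DistinguishedName, Enabled,
        @{n='InheritanceBlocked'; e={ $_.nTSecurityDescriptor.AreAccessRulesProtected }},
        @{n='AdminCount';         e={ $_.adminCount }},
        @{n='ManuallyBlocked';    e={ $_.nTSecurityDescriptor.AreAccessRulesProtected -and
                                      $_.adminCount -ne 1 }}
}

# Usage: full report to CSV plus an on-screen view of the blocked accounts.
# The server name and output path are placeholders.
$report = Get-UserInheritanceReport -Server 'dc01.example.local'
$report | Where-Object { $_.InheritanceBlocked } |
    Format-Table Name, SamAccountName, AdminCount, ManuallyBlocked -AutoSize
$report | Export-Csv -Path 'C:\Reports\ad-user-inheritance.csv' -NoTypeInformation
```

Pass -Server explicitly when the default DC lookup fails with the "unable to find a default server with Active Directory Web Services running" error seen later in this thread.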
 
Julian123 (Author) Commented:
I tried this and I got the error "unable to find a default server with active directory Web services running."

Any thoughts on that?

Thanks again for your help.

soostibi Commented:
Check the status of the Active Directory Web Service and start it on the DC.

Julian123 (Author) Commented:
I logged on to the domain controller and did not find any service with this name.

Just so it's clear, the domain controller is 2003. The machine from which I am running the powershell script is 2008 R2.

soostibi Commented:
I see, in this case my solution @ID:35435961 should work.

Julian123 (Author) Commented:
Great!